d71c0b1ad9b3652aaadf0c1ecfdab66e9146f802ff438cd985e8e146226e0684

Analysis

max time kernel
111s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83f2b5fa6ce0bf46f0d1474cfecf8c90N.exe
Size

194KB
MD5

83f2b5fa6ce0bf46f0d1474cfecf8c90
SHA1

fd911a3863ed3d0943d4c1397a6d45dd3906164c
SHA256

d71c0b1ad9b3652aaadf0c1ecfdab66e9146f802ff438cd985e8e146226e0684
SHA512

a7d2e436cb5ed8ab38e3818b28cf5ca056b4b638b1384ccdc8126dbaafb287e88631caf689a748cb80a0be24349592c9dd0c8462463386ceb7eaf85fceaf9595
SSDEEP

3072:9Kbje+4j0fundSfUNRbCeR0pN03xWlJ7mlOD6pN03:cbjefndSfUNRbCeKpNYxWlJ7mkD6pNY

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	83f2b5fa6ce0bf46f0d1474cfecf8c90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	83f2b5fa6ce0bf46f0d1474cfecf8c90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogddhmdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndmeecmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okfmbm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opebpdad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhfdqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhfdqb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omeini32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noplmlok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaqeogll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oingii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olopjddf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogddhmdl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndmeecmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olopjddf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oibpdico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oibpdico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omeini32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oaqeogll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opebpdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ollcee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Noplmlok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oingii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oipcnieb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okfmbm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ollcee32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oipcnieb.exe

Executes dropped EXE 14 IoCs

pid	Process
2164	Nhfdqb32.exe
2792	Noplmlok.exe
2816	Ndmeecmb.exe
2996	Okfmbm32.exe
1568	Omeini32.exe
2728	Oaqeogll.exe
2576	Opebpdad.exe
2760	Oingii32.exe
876	Ollcee32.exe
2648	Oipcnieb.exe
3060	Olopjddf.exe
2856	Ogddhmdl.exe
2264	Oibpdico.exe
2016	Ockdmn32.exe

Loads dropped DLL 32 IoCs

pid	Process
2120	83f2b5fa6ce0bf46f0d1474cfecf8c90N.exe
2120	83f2b5fa6ce0bf46f0d1474cfecf8c90N.exe
2164	Nhfdqb32.exe
2164	Nhfdqb32.exe
2792	Noplmlok.exe
2792	Noplmlok.exe
2816	Ndmeecmb.exe
2816	Ndmeecmb.exe
2996	Okfmbm32.exe
2996	Okfmbm32.exe
1568	Omeini32.exe
1568	Omeini32.exe
2728	Oaqeogll.exe
2728	Oaqeogll.exe
2576	Opebpdad.exe
2576	Opebpdad.exe
2760	Oingii32.exe
2760	Oingii32.exe
876	Ollcee32.exe
876	Ollcee32.exe
2648	Oipcnieb.exe
2648	Oipcnieb.exe
3060	Olopjddf.exe
3060	Olopjddf.exe
2856	Ogddhmdl.exe
2856	Ogddhmdl.exe
2264	Oibpdico.exe
2264	Oibpdico.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ndmeecmb.exe	Noplmlok.exe
File created	C:\Windows\SysWOW64\Fchpmeni.dll	Noplmlok.exe
File created	C:\Windows\SysWOW64\Omeini32.exe	Okfmbm32.exe
File created	C:\Windows\SysWOW64\Ollcee32.exe	Oingii32.exe
File opened for modification	C:\Windows\SysWOW64\Ollcee32.exe	Oingii32.exe
File opened for modification	C:\Windows\SysWOW64\Olopjddf.exe	Oipcnieb.exe
File opened for modification	C:\Windows\SysWOW64\Ogddhmdl.exe	Olopjddf.exe
File opened for modification	C:\Windows\SysWOW64\Nhfdqb32.exe	83f2b5fa6ce0bf46f0d1474cfecf8c90N.exe
File created	C:\Windows\SysWOW64\Jmdkjqpq.dll	Ndmeecmb.exe
File opened for modification	C:\Windows\SysWOW64\Omeini32.exe	Okfmbm32.exe
File opened for modification	C:\Windows\SysWOW64\Oingii32.exe	Opebpdad.exe
File created	C:\Windows\SysWOW64\Ockdmn32.exe	Oibpdico.exe
File created	C:\Windows\SysWOW64\Oaqeogll.exe	Omeini32.exe
File created	C:\Windows\SysWOW64\Ogddhmdl.exe	Olopjddf.exe
File created	C:\Windows\SysWOW64\Oibpdico.exe	Ogddhmdl.exe
File created	C:\Windows\SysWOW64\Khhaomjd.dll	Oibpdico.exe
File created	C:\Windows\SysWOW64\Ndmeecmb.exe	Noplmlok.exe
File created	C:\Windows\SysWOW64\Okfmbm32.exe	Ndmeecmb.exe
File created	C:\Windows\SysWOW64\Olopjddf.exe	Oipcnieb.exe
File created	C:\Windows\SysWOW64\Hbfdeplh.dll	Oipcnieb.exe
File created	C:\Windows\SysWOW64\Hgmgcagc.dll	Ogddhmdl.exe
File opened for modification	C:\Windows\SysWOW64\Okfmbm32.exe	Ndmeecmb.exe
File created	C:\Windows\SysWOW64\Oingii32.exe	Opebpdad.exe
File opened for modification	C:\Windows\SysWOW64\Oipcnieb.exe	Ollcee32.exe
File opened for modification	C:\Windows\SysWOW64\Oibpdico.exe	Ogddhmdl.exe
File created	C:\Windows\SysWOW64\Noplmlok.exe	Nhfdqb32.exe
File created	C:\Windows\SysWOW64\Ibjenkae.dll	Omeini32.exe
File created	C:\Windows\SysWOW64\Pkgjak32.dll	Oaqeogll.exe
File created	C:\Windows\SysWOW64\Dcihik32.dll	Opebpdad.exe
File created	C:\Windows\SysWOW64\Giedhjnn.dll	Oingii32.exe
File created	C:\Windows\SysWOW64\Dogbkiop.dll	Ollcee32.exe
File created	C:\Windows\SysWOW64\Ebakdbbk.dll	Olopjddf.exe
File opened for modification	C:\Windows\SysWOW64\Ockdmn32.exe	Oibpdico.exe
File created	C:\Windows\SysWOW64\Nhfdqb32.exe	83f2b5fa6ce0bf46f0d1474cfecf8c90N.exe
File opened for modification	C:\Windows\SysWOW64\Noplmlok.exe	Nhfdqb32.exe
File opened for modification	C:\Windows\SysWOW64\Oaqeogll.exe	Omeini32.exe
File created	C:\Windows\SysWOW64\Opebpdad.exe	Oaqeogll.exe
File created	C:\Windows\SysWOW64\Oipcnieb.exe	Ollcee32.exe
File created	C:\Windows\SysWOW64\Dmlibo32.dll	83f2b5fa6ce0bf46f0d1474cfecf8c90N.exe
File created	C:\Windows\SysWOW64\Edljdb32.dll	Nhfdqb32.exe
File created	C:\Windows\SysWOW64\Liopnp32.dll	Okfmbm32.exe
File opened for modification	C:\Windows\SysWOW64\Opebpdad.exe	Oaqeogll.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2972	2016	WerFault.exe	43

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaqeogll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ockdmn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhfdqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oipcnieb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogddhmdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	83f2b5fa6ce0bf46f0d1474cfecf8c90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okfmbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olopjddf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oibpdico.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndmeecmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omeini32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opebpdad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oingii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ollcee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noplmlok.exe

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	83f2b5fa6ce0bf46f0d1474cfecf8c90N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Noplmlok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmdkjqpq.dll"	Ndmeecmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opebpdad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ollcee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omeini32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	83f2b5fa6ce0bf46f0d1474cfecf8c90N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	83f2b5fa6ce0bf46f0d1474cfecf8c90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	83f2b5fa6ce0bf46f0d1474cfecf8c90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhfdqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchpmeni.dll"	Noplmlok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndmeecmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndmeecmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oaqeogll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oingii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ollcee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogddhmdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oaqeogll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oingii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giedhjnn.dll"	Oingii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmlibo32.dll"	83f2b5fa6ce0bf46f0d1474cfecf8c90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Noplmlok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okfmbm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olopjddf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liopnp32.dll"	Okfmbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omeini32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oibpdico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oibpdico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dogbkiop.dll"	Ollcee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oipcnieb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oipcnieb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olopjddf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgmgcagc.dll"	Ogddhmdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhfdqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edljdb32.dll"	Nhfdqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okfmbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibjenkae.dll"	Omeini32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebakdbbk.dll"	Olopjddf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khhaomjd.dll"	Oibpdico.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	83f2b5fa6ce0bf46f0d1474cfecf8c90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkgjak32.dll"	Oaqeogll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opebpdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcihik32.dll"	Opebpdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfdeplh.dll"	Oipcnieb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogddhmdl.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2164	2120	83f2b5fa6ce0bf46f0d1474cfecf8c90N.exe	30
PID 2120 wrote to memory of 2164	2120	83f2b5fa6ce0bf46f0d1474cfecf8c90N.exe	30
PID 2120 wrote to memory of 2164	2120	83f2b5fa6ce0bf46f0d1474cfecf8c90N.exe	30
PID 2120 wrote to memory of 2164	2120	83f2b5fa6ce0bf46f0d1474cfecf8c90N.exe	30
PID 2164 wrote to memory of 2792	2164	Nhfdqb32.exe	31
PID 2164 wrote to memory of 2792	2164	Nhfdqb32.exe	31
PID 2164 wrote to memory of 2792	2164	Nhfdqb32.exe	31
PID 2164 wrote to memory of 2792	2164	Nhfdqb32.exe	31
PID 2792 wrote to memory of 2816	2792	Noplmlok.exe	32
PID 2792 wrote to memory of 2816	2792	Noplmlok.exe	32
PID 2792 wrote to memory of 2816	2792	Noplmlok.exe	32
PID 2792 wrote to memory of 2816	2792	Noplmlok.exe	32
PID 2816 wrote to memory of 2996	2816	Ndmeecmb.exe	33
PID 2816 wrote to memory of 2996	2816	Ndmeecmb.exe	33
PID 2816 wrote to memory of 2996	2816	Ndmeecmb.exe	33
PID 2816 wrote to memory of 2996	2816	Ndmeecmb.exe	33
PID 2996 wrote to memory of 1568	2996	Okfmbm32.exe	34
PID 2996 wrote to memory of 1568	2996	Okfmbm32.exe	34
PID 2996 wrote to memory of 1568	2996	Okfmbm32.exe	34
PID 2996 wrote to memory of 1568	2996	Okfmbm32.exe	34
PID 1568 wrote to memory of 2728	1568	Omeini32.exe	35
PID 1568 wrote to memory of 2728	1568	Omeini32.exe	35
PID 1568 wrote to memory of 2728	1568	Omeini32.exe	35
PID 1568 wrote to memory of 2728	1568	Omeini32.exe	35
PID 2728 wrote to memory of 2576	2728	Oaqeogll.exe	36
PID 2728 wrote to memory of 2576	2728	Oaqeogll.exe	36
PID 2728 wrote to memory of 2576	2728	Oaqeogll.exe	36
PID 2728 wrote to memory of 2576	2728	Oaqeogll.exe	36
PID 2576 wrote to memory of 2760	2576	Opebpdad.exe	37
PID 2576 wrote to memory of 2760	2576	Opebpdad.exe	37
PID 2576 wrote to memory of 2760	2576	Opebpdad.exe	37
PID 2576 wrote to memory of 2760	2576	Opebpdad.exe	37
PID 2760 wrote to memory of 876	2760	Oingii32.exe	38
PID 2760 wrote to memory of 876	2760	Oingii32.exe	38
PID 2760 wrote to memory of 876	2760	Oingii32.exe	38
PID 2760 wrote to memory of 876	2760	Oingii32.exe	38
PID 876 wrote to memory of 2648	876	Ollcee32.exe	39
PID 876 wrote to memory of 2648	876	Ollcee32.exe	39
PID 876 wrote to memory of 2648	876	Ollcee32.exe	39
PID 876 wrote to memory of 2648	876	Ollcee32.exe	39
PID 2648 wrote to memory of 3060	2648	Oipcnieb.exe	40
PID 2648 wrote to memory of 3060	2648	Oipcnieb.exe	40
PID 2648 wrote to memory of 3060	2648	Oipcnieb.exe	40
PID 2648 wrote to memory of 3060	2648	Oipcnieb.exe	40
PID 3060 wrote to memory of 2856	3060	Olopjddf.exe	41
PID 3060 wrote to memory of 2856	3060	Olopjddf.exe	41
PID 3060 wrote to memory of 2856	3060	Olopjddf.exe	41
PID 3060 wrote to memory of 2856	3060	Olopjddf.exe	41
PID 2856 wrote to memory of 2264	2856	Ogddhmdl.exe	42
PID 2856 wrote to memory of 2264	2856	Ogddhmdl.exe	42
PID 2856 wrote to memory of 2264	2856	Ogddhmdl.exe	42
PID 2856 wrote to memory of 2264	2856	Ogddhmdl.exe	42
PID 2264 wrote to memory of 2016	2264	Oibpdico.exe	43
PID 2264 wrote to memory of 2016	2264	Oibpdico.exe	43
PID 2264 wrote to memory of 2016	2264	Oibpdico.exe	43
PID 2264 wrote to memory of 2016	2264	Oibpdico.exe	43
PID 2016 wrote to memory of 2972	2016	Ockdmn32.exe	44
PID 2016 wrote to memory of 2972	2016	Ockdmn32.exe	44
PID 2016 wrote to memory of 2972	2016	Ockdmn32.exe	44
PID 2016 wrote to memory of 2972	2016	Ockdmn32.exe	44

C:\Users\Admin\AppData\Local\Temp\83f2b5fa6ce0bf46f0d1474cfecf8c90N.exe
"C:\Users\Admin\AppData\Local\Temp\83f2b5fa6ce0bf46f0d1474cfecf8c90N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\SysWOW64\Nhfdqb32.exe
  C:\Windows\system32\Nhfdqb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\SysWOW64\Noplmlok.exe
    C:\Windows\system32\Noplmlok.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\Ndmeecmb.exe
      C:\Windows\system32\Ndmeecmb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\SysWOW64\Okfmbm32.exe
        
        C:\Windows\system32\Okfmbm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
      - C:\Windows\SysWOW64\Omeini32.exe
        
        C:\Windows\system32\Omeini32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Oaqeogll.exe
        
        C:\Windows\system32\Oaqeogll.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Opebpdad.exe
        
        C:\Windows\system32\Opebpdad.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Oingii32.exe
        
        C:\Windows\system32\Oingii32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Ollcee32.exe
        
        C:\Windows\system32\Ollcee32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Oipcnieb.exe
        
        C:\Windows\system32\Oipcnieb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Olopjddf.exe
        
        C:\Windows\system32\Olopjddf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Ogddhmdl.exe
        
        C:\Windows\system32\Ogddhmdl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Oibpdico.exe
        
        C:\Windows\system32\Oibpdico.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Ockdmn32.exe
        
        C:\Windows\system32\Ockdmn32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 140
        16⤵
        Loads dropped DLL
        Program crash
        
        PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ndmeecmb.exe

Filesize
194KB

MD5
d21b9eb821852e787aa84730e2bfb961

SHA1
89a3162fae379f956330dfb76f237d25d9ebaed6

SHA256
6ddc2617c46e9f59d0fd454c283313355be23c8828f854af24f6d6c7ffc1d042

SHA512
50ef760cd0907f2522f90b026815c0c6e617afe5acae05b608934b37986e2eacfe0d0b550ba8bfbcc4694055692e1c50d3b38ba0ba9a7628b33d0aba5e4f36a9

Download Submit
C:\Windows\SysWOW64\Oaqeogll.exe

Filesize
194KB

MD5
72bc99d9c9ae8ad54d30ae9a497b9517

SHA1
5cd6ffe4d2a0ef7cbe94157d59bdc217c646f819

SHA256
a0a637b3bc73da2e559841e7477438b98266da57cd4f84699e905d9b5bcca872

SHA512
18d9a0f3c40f9e1ee56525f9d59d109af083270bb4197fde3429bc415829ad2ee456e46108cbc42e88143290829c8b1fce5271d73fdb37b50fff0db0c62a0b48

Download Submit
C:\Windows\SysWOW64\Okfmbm32.exe

Filesize
194KB

MD5
1203162769e5cf5404c4c6ac4a026f7c

SHA1
a6ebb6d80cd1c28862ac0f0d2576d0b0223a0ef2

SHA256
93e05f7b40378b2372945cc49e9992b678522dc86f4371307cc0dad0d3ea590d

SHA512
eac59adc6446b5f1203260cd93f21840e82f854129c46d799992e9eb717f4332bee3238c99b7ab39925190b3ef1965142ce7e49c38c791570ae08872aa7af25f

Download Submit
\Windows\SysWOW64\Nhfdqb32.exe

Filesize
194KB

MD5
feb0c6a8c9c30fdb564d2a650b32716f

SHA1
5a55b9ac881998f930d63cabdc85b7a739a13e3f

SHA256
fe4f6e2ad0f1a78ba198cf290f879ee177d762faf977b1c03207bef1685dd4f3

SHA512
e8892ef94acca6d8891fc09ae97e651feaff0a5ab8da56088a76361e542837b5394a456252eab0b6e7d8d2051f0c8bbc5848773ce26081f47a43d9fa37c27bcb

Download Submit
\Windows\SysWOW64\Noplmlok.exe

Filesize
194KB

MD5
c2385e22ec4435725f0a0d5fa345bb84

SHA1
f68023bfbc4b52e7b9bd67d282058e47951b17cf

SHA256
ffae54fa928c43797f6d7542280565b6a0cc3b5bbd06ef961c692331257d6f72

SHA512
ace48f82b5528a58360d1f0047ba958f9e4be7036861f5d3263caaa48a9c174d29b53aea8acbf91f22cad30b73fdc7c9e6b2556a36c976f1ab27c90c4a045667

Download Submit
\Windows\SysWOW64\Ockdmn32.exe

Filesize
194KB

MD5
a32a87693a286bc9d67cf738bd562510

SHA1
eceb23c5ba1e6005b3358fb532e075a2a8bc9e15

SHA256
94d425ee8645ea1b4c31b99d37cd852c550cb3762a34caae2fdeffe72856b0e7

SHA512
bd29f3c9332b2353714203eb33bd083aff334d763d098e8fb1f113f877ba5e845ddcea13f48f37c4a78d29dc32e87870a8bfd169e653821754d25ed3deba7777

Download Submit
\Windows\SysWOW64\Ogddhmdl.exe

Filesize
194KB

MD5
a0c55a345fa927366ea44c69f609c6cf

SHA1
55b78d635202a335274ac68da671dc0d220a5fba

SHA256
254330f708daff2ac38c3b56df35671ea93b66a06fc01796aa134b97f1b62386

SHA512
74e99987e40d3be298ab81b8a69c6cdc4785634fc9110b6673c8aa8b0b1cfb399260b5778c2bd47057ebb714e75046e8c95d1eed966f873e1d3e7bef3b07616d

Download Submit
\Windows\SysWOW64\Oibpdico.exe

Filesize
194KB

MD5
b1ad3d96d77cc2efbaf01f78c79fd80d

SHA1
a062ccc196dd7fe95ca0bf1659f4c28fe8556a3a

SHA256
f7d0d4334dba0e05393fd9eb40ce81d259db4a83d7a42d656047b8124b3f87b7

SHA512
8d347f5605dcef128b19bc536b211ff59ed60e45d3a6404d5c49719814350e761c1d697a48537763d70ca92a379d99b4a5fc8164c8661bd25088edb4047d9288

Download Submit
\Windows\SysWOW64\Oingii32.exe

Filesize
194KB

MD5
ca6b09738c9f7aa443a839e7e6b85daa

SHA1
32e05c18cf08c335bde3d430c37282aaa0dbfe9c

SHA256
7b43406720fba5e9c46155cfac4c21a01837bd72bbfd5a2cb2f58a4ee06a624c

SHA512
72ffdb12fb3311d1a1e771f0c1b0f4fe1f873b3016ca14b56836a3dce71f53ffe54e40086d1e52c60b67270b400bf7ba778653cc7a1546a7959dac694b7114bd

Download Submit
\Windows\SysWOW64\Oipcnieb.exe

Filesize
194KB

MD5
7f958d668e845044ed4bdc0ed193e914

SHA1
9fe5efec22d3ad14c70a3cfcc3f893995734dd72

SHA256
7102fb8a44a96f7df9b3eef7f536136644feaaff924acca1ef8a91e237d2a021

SHA512
ebffb082a872b6aea285a75bc6d84550ae817116149242bb503f2ec84c40fbe0087add43d40ba25dcb734862a423cf4f71c9f5875621761ba4d733e642b3150f

Download Submit
\Windows\SysWOW64\Ollcee32.exe

Filesize
194KB

MD5
bcf87bb3675ffc8c3677ae8db1bdd02a

SHA1
6f98a0038d04ad19ed90e1d17523e922d89534bc

SHA256
ab22ea8244142a050da69814064c1506ae8e1cce834decad2a529a7ce3a1b2e9

SHA512
dcc1e8318a5c0c98ec060732fe025f8ee23a20ababfc9efae59b86c1b9923a4a8865e7979995e8c788405a1fd19787319e95c7b9eb31449ff28af4d2b67bb18f

Download Submit
\Windows\SysWOW64\Olopjddf.exe

Filesize
194KB

MD5
de0b150e8bce7e4ff906e34584415b42

SHA1
d3d57e183b6ac8d44c928330a62d466ba18fc4f7

SHA256
1f776bc3d2ed209fc37dc4e3dec88060b9be282e00ccd024fbe576fe3fcd14b5

SHA512
1d731f9c219880da22337294ca2ae163b4687028af7011e292b951571fc88ca9959c2f8cc1782ab6b58d563f82b5602897286b29002ce0435bfe5ee0ee06ecce

Download Submit
\Windows\SysWOW64\Omeini32.exe

Filesize
194KB

MD5
2f9db1f09f2b70a87b11b92dd542fd6b

SHA1
a53c007c13676c7bed857def3520c6554da930d7

SHA256
eba32f45f5a55a99fe93d64ff80a3bebd3d780d5be351ab8a968c721b01d3440

SHA512
820d20c44b2b39fe165be17c4b9daf3bee63bd75d5cde46201b0e0a915ec63aab80fc318793c0e1fcd38e07080eda1f72e971293d86d9f5e507b6cfbeca81fed

Download Submit
\Windows\SysWOW64\Opebpdad.exe

Filesize
194KB

MD5
e797666fcca87492dfe32d620489efb2

SHA1
fc9f2403eb909ff0e4c01dea3d6bbcdb4bfa205a

SHA256
38260358381fad983953f3437dd4fbed1776d515f845530c0ff0d6e6ac16ce33

SHA512
646f3c903b11d62957d478e98c1704cbdbea0afeb0f1c4b7dc5f6eee0bf22baf798befdb6437bc4d98b58eba632b38324cd250986d3486643e9d8c21387791c2

Download Submit
memory/876-116-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/876-244-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1568-236-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2016-183-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2120-12-0x0000000000270000-0x00000000002CB000-memory.dmp

Filesize
364KB

Download
memory/2120-4-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2120-226-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2164-228-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2164-13-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2264-176-0x00000000004D0000-0x000000000052B000-memory.dmp

Filesize
364KB

Download
memory/2264-168-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2264-254-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2264-182-0x00000000004D0000-0x000000000052B000-memory.dmp

Filesize
364KB

Download
memory/2576-240-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2576-90-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2576-98-0x0000000000300000-0x000000000035B000-memory.dmp

Filesize
364KB

Download
memory/2648-246-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2728-76-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2728-88-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/2728-238-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2760-242-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2792-230-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2792-43-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2816-232-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2816-50-0x0000000000290000-0x00000000002EB000-memory.dmp

Filesize
364KB

Download
memory/2856-167-0x00000000002D0000-0x000000000032B000-memory.dmp

Filesize
364KB

Download
memory/2856-250-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2996-234-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3060-153-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/3060-141-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3060-248-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads